
Rate policy

Available rate policy property options.

Base structure

A JSON file used to define rate policy properties and property values looks similar to this.

{
  "additionalMatchOptions": [{
    "positiveMatch": true,
    "type": "ResponseStatusCondition",
    "values": ["400", "401", "402", "403", "404", "405", "406", "407", "408", "409", "410", "500", "501", "502", "503", "504"]
  }],
  "averageThreshold": 5,
  "burstThreshold": 8,
  "burstWindow": 3,
  "clientIdentifier": "ip",
  "condition": {
    "atomicConditions": [
      {
        "className": "TlsFingerprintCondition",
        "positiveMatch": true,
        "value": [
          "a123vc456de789fg",
          "ba21dc3e87654f7g8h90i123456j7k8"
        ]
      },
      {
        "className": "ClientReputationCondition",
        "name": [
          "DOSATCK",
          "WEBATCK"
        ],
        "positiveMatch": true,
        "sharedIpHandling": "BOTH",
        "value": 3
      },
      {
        "className": "RequestHeaderCondition",
        "name": [
          "Accept",
          "Content-Type"
        ],
        "nameWildcard": true,
        "positiveMatch": true,
        "value": [
          "json",
          "xml"
        ],
        "valueCase": false,
        "valueWildcard": true
      }
    ],
    "positiveMatch": true
  },
  "description": "An excessive error rate from the origin could indicate malicious activity by a bot scanning the site or a publishing error. In both cases, this would increase the origin traffic and could potentially destabilize it.",
  "matchType": "path",
  "name": "HTTP Response Codes",
  "pathMatchType": "Custom",
  "pathUriPositiveMatch": true,
  "requestType": "ForwardResponse",
  "sameActionOnIpv6": true,
  "type": "WAF",
  "useXForwardForHeaders": false
}

Required properties

Property | Description
averageThreshold | Maximum number of allowed hits per second during any two-minute interval.
burstThreshold | Maximum number of allowed hits per second during any five-second interval.
clientIdentifier | Identifier used to identify and track request senders; this value is required only when using Web Application Firewall. Allowed values are:
  • api-key. Supported only for API match criteria.
  • ip-useragent. Typically preferred over ip when identifying a client.
  • ip. Identifies clients by IP address.
  • cookie:value. Helps track requests over an individual session, even if the IP address changes.
matchType | Indicates the type of path matched by the policy. Allowed values are:
  • path. Matches website paths.
  • api. Matches API paths.
name | Unique name assigned to a rate policy.
pathMatchType | Type of path to match in incoming requests. Allowed values are:
  • AllRequests. Matches an empty path or any path that ends in a trailing slash.
  • TopLevel. Matches top-level hostnames only.
  • Custom. Matches a specific path or path component. This property is only required when the matchType is set to path.
requestType | Type of request to count towards the rate policy's thresholds. Allowed values are:
  • ClientRequest. Counts client requests to edge servers.
  • ClientResponse. Counts edge responses to the client.
  • ForwardResponse. Counts origin responses to the client.
  • ForwardRequest. Counts edge requests to your origin.
sameActionOnIpv6 | Indicates whether the same rate policy action applies to both IPv6 traffic and IPv4 traffic.
type | Rate policy type. Allowed values are:
  • WAF. Web Application Firewall.
  • BOTMAN. Bot Manager.

Optional properties

Property | Description
burstWindow | The time span for the burstThreshold interval. For existing rate policies, analyze your traffic in Alert mode before you reduce the measure window from 5 seconds.
condition | An object containing the criteria that trigger a rate policy.
  • positiveMatch. Whether the condition triggers on a match (true) or on the lack of a match (false).
  • atomicConditions. An array of your trigger conditions. Include one or all of the condition type objects:

    Request headers condition object

    • className. Required. The condition type. Value is RequestHeaderCondition.
    • name. Required. An array of header names. This property checks for the existence of the header. Use with value to check if the header is a match.
    • nameWildcard. Whether to interpret ? and * as wildcards.
    • positiveMatch. Whether the condition triggers on a match (true) or on the lack of a match (false).
    • value. An array of header values. Use with name to check both existence and match.
    • valueCase. Whether to consider case sensitivity of header values.
    • valueWildcard. Whether to interpret ? and * as wildcards.

    TLS fingerprint condition object

    • className. Required. The condition type. Value is TlsFingerprintCondition.
    • positiveMatch. Whether the condition triggers on a match (true) or on the lack of a match (false).
    • value. Required. An array of TLS fingerprints.

    Client reputation condition object

    • className. Required. The condition type. Value is ClientReputationCondition.
    • name. Required. An array of reputation category strings. WBSCRP for web scrapers or crawlers. DOSATCK for DoS attackers. WEBATCK for Web attackers. SCANTL for scanning tools.
    • positiveMatch. Whether the condition triggers on a match (true) or on the lack of a match (false).
    • sharedIpHandling. Required. The shared IP status. Values are SHARED_ONLY, NON_SHARED, BOTH.
    • value. Required. The threshold value that causes the trigger.
description | Descriptive text about the policy.
hostnames | Array of hostnames that trigger a policy match. If a hostname is not in the array then that request is ignored by the policy.
pathUriPositiveMatch | Indicates whether the policy is triggered if a match is found.
useXForwardForHeaders | Indicates whether the policy checks the contents of the X-Forwarded-For header in incoming requests.

additionalMatchOptions

Specifies additional matching conditions for the rate policy.

Property | Required | Description
properties | ✔️ | Match condition type. Allowed values are:
  • IpAddressCondition
  • NetworkListCondition
  • RequestHeaderCondition
  • RequestMethodCondition
  • ResponseStatusCondition
  • UserAgentCondition
  • AsNumberCondition
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger.
values | ✔️ | List of values to match.

apiSelectors

Specifies the API endpoints to match on. Note that this object can only be used if the matchType is set to api.

Property | Required | Description
apiDefinitionId | ✔️ | Unique identifier of the API endpoint.
resourceIds | | Unique identifiers of one or more API endpoint resources.
undefinedResources | | If true, matches any resource not explicitly added to your API definition without having to include the resource ID. If false, matches only those undefined resources listed in the resourceIds property.
definedResources | | If true, this matches any resource explicitly added to your API definition without having to include the resource ID. If false, matches only those defined resources listed in the resourceIds property.

bodyParameters

Specifies the request body parameters on which to match.

Property | Required | Description
name | ✔️ | Body parameter name to match.
values | ✔️ | Body parameter values to match.
positiveMatch | | Indicates the match condition for a policy's trigger.
valueInRange | | When true, this matches values inside the values range. Note that your values must be specified as a range to use this property. When false, this matches values that fall outside the specified range.

fileExtensions

Specifies the file extensions on which to match.

Property | Required | Description
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger.
values | ✔️ | List of file extensions to match.

path

Property | Required | Description
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger.
values | ✔️ | List of paths to match.

queryParameters

Property | Required | Description
name | ✔️ | Query parameter name to match.
values | ✔️ | List of query parameter values to match.
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger.
valueInRange | | When true, this matches values inside the values range. Your values must be specified as a range to use this property. When false, this matches values that fall outside the specified range.
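
A pre-deployment lint for the rules in this reference, as an added example that is not part of the original page or of the vendor's tooling: it checks a policy for the required properties, the allowed values, and the conditional requirements on clientIdentifier, pathMatchType and apiSelectors. The name lint_rate_policy and the SAMPLE policy are constructed for illustration.

```python
# Allowed values and required fields, transcribed from the tables on this page.
ENUMS = {
    "matchType": {"path", "api"},
    "pathMatchType": {"AllRequests", "TopLevel", "Custom"},
    "requestType": {"ClientRequest", "ClientResponse", "ForwardResponse", "ForwardRequest"},
    "type": {"WAF", "BOTMAN"},
}
REQUIRED = ["averageThreshold", "burstThreshold", "matchType", "name",
            "requestType", "sameActionOnIpv6", "type"]
# Per condition class: required keys, then allowed values for enumerated keys.
CONDITIONS = {
    "RequestHeaderCondition": (["name"], {}),
    "TlsFingerprintCondition": (["value"], {}),
    "ClientReputationCondition": (["name", "sharedIpHandling", "value"], {
        "name": {"WBSCRP", "DOSATCK", "WEBATCK", "SCANTL"},
        "sharedIpHandling": {"SHARED_ONLY", "NON_SHARED", "BOTH"}}),
}

def lint_rate_policy(policy):
    """Return a list of problems in a rate policy dict; an empty list means clean."""
    out = [f"missing required property: {k}" for k in REQUIRED if k not in policy]
    out += [f"{k}: {policy[k]!r} is not an allowed value"
            for k, ok in ENUMS.items() if k in policy and policy[k] not in ok]
    # Conditional requirements stated in the property descriptions.
    if policy.get("type") == "WAF" and "clientIdentifier" not in policy:
        out.append("clientIdentifier is required when type is WAF")
    if policy.get("matchType") == "path" and "pathMatchType" not in policy:
        out.append("pathMatchType is required when matchType is path")
    if "apiSelectors" in policy and policy.get("matchType") != "api":
        out.append("apiSelectors can only be used when matchType is api")
    for i, cond in enumerate(policy.get("condition", {}).get("atomicConditions", [])):
        cls = cond.get("className")
        if cls not in CONDITIONS:
            out.append(f"atomicConditions[{i}]: unknown className {cls!r}")
            continue
        required, allowed = CONDITIONS[cls]
        out += [f"atomicConditions[{i}]: {cls} requires {k}" for k in required if k not in cond]
        for key, ok in allowed.items():
            vals = cond.get(key, [])
            for v in vals if isinstance(vals, list) else [vals]:
                if v not in ok:
                    out.append(f"atomicConditions[{i}]: {key} value {v!r} is not allowed")
    return out
# Constructed sample: misspelled requestType and reputation category, no clientIdentifier.
SAMPLE = {"name": "demo", "type": "WAF", "matchType": "path", "pathMatchType": "Custom",
          "requestType": "ForwardResponses", "sameActionOnIpv6": True,
          "averageThreshold": 5, "burstThreshold": 8, "condition": {"atomicConditions": [
              {"className": "ClientReputationCondition", "name": ["DOSATTACK"],
               "sharedIpHandling": "BOTH", "value": 3}]}}
```

Running lint_rate_policy(SAMPLE) reports the three problems; a misspelled enum value or a missing clientIdentifier is worth catching before the policy is pushed, since a policy that never matches leaves the origin unprotected without any visible error.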